Laminator: Verifiable ML Property Cards using Hardware-assisted Attestations
Vasisht Duddu, Oskari Järvinen, Lachlan J Gunn, N Asokan

TL;DR
Laminator introduces a hardware-assisted framework for creating verifiable ML property cards, enhancing transparency and trustworthiness in machine learning models through efficient attestations within trusted execution environments.
Contribution
The paper presents Laminator, the first framework leveraging TEEs for verifiable ML property cards, enabling efficient, scalable, and versatile attestations across the ML pipeline.
Findings
Laminator achieves low overhead in attestation processes.
The framework supports a wide range of ML property attestations.
Laminator scales effectively to numerous verifiers.
Abstract
Regulations increasingly call for various assurances from machine learning (ML) model providers about their training data, training process, and model behavior. For better transparency, industry (e.g., Huggingface and Google) has adopted model cards and datasheets to describe various properties of training datasets and models. In the same vein, we introduce the notion of inference cards to describe the properties of a given inference (e.g., binding of the output to the model and its corresponding input). We coin the term ML property cards to collectively refer to these various types of cards. To prevent a malicious model provider from including false information in ML property cards, they need to be verifiable. We show how to construct verifiable ML property cards using property attestation, technical mechanisms by which a prover (e.g., a model provider) can attest to various ML…
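The abstract's inference card binds an output to the model that produced it and to its input, and the card is only useful if a verifier can check that binding. The following added example (not code from the paper or the Laminator project) sketches that check in plain Python: the prover measures the model and the input with SHA-256, computes the output, and authenticates the card; the verifier recomputes the measurements and rejects any card whose output, input or model has been altered. The sample weights, input and key are constructed for the example. The HMAC with a shared key is a stand-in for the TEE's attestation signature, which in a real deployment would be an asymmetric signature from a hardware-rooted key that also covers the identity of the code running inside the enclave.

```python
import hashlib
import hmac
import json

# Constructed sample "model": a tiny linear classifier with fixed weights.
MODEL_WEIGHTS = [0.5, -1.25, 2.0]
# Constructed key standing in for the TEE's attestation key (assumption).
ATTESTATION_KEY = b"constructed-attestation-key"


def measure(data: bytes) -> str:
    """Measurement of an artifact: a SHA-256 digest of its canonical bytes."""
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic serialization so prover and verifier measure identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def model_measurement(weights) -> str:
    return measure(canonical(weights))


def predict(weights, x) -> int:
    """The inference whose result the card will vouch for."""
    score = sum(w * v for w, v in zip(weights, x))
    return 1 if score > 0 else 0


def make_inference_card(weights, x, attestation_key: bytes) -> dict:
    """Prover side: run inference and emit a card binding output to model and input."""
    card = {
        "model_measurement": model_measurement(weights),
        "input_measurement": measure(canonical(x)),
        "output": predict(weights, x),
    }
    # Stand-in for the TEE attestation: authenticate the whole card body.
    card["attestation"] = hmac.new(attestation_key, canonical(card), hashlib.sha256).hexdigest()
    return card


def verify_inference_card(card: dict, attestation_key: bytes,
                          expected_model_measurement: str, x) -> bool:
    """Verifier side: check authenticity, then check the model and input bindings."""
    body = {k: v for k, v in card.items() if k != "attestation"}
    expected_tag = hmac.new(attestation_key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, card.get("attestation", "")):
        return False  # card was altered after attestation, or not attested at all
    if body.get("model_measurement") != expected_model_measurement:
        return False  # output came from a different model than the one claimed
    if body.get("input_measurement") != measure(canonical(x)):
        return False  # output is bound to some other input
    return True


if __name__ == "__main__":
    x = [1.0, 0.0, 1.0]
    card = make_inference_card(MODEL_WEIGHTS, x, ATTESTATION_KEY)
    ok = verify_inference_card(card, ATTESTATION_KEY, model_measurement(MODEL_WEIGHTS), x)
    print("genuine card verifies:", ok)
    tampered = dict(card, output=1 - card["output"])
    print("tampered output verifies:", verify_inference_card(
        tampered, ATTESTATION_KEY, model_measurement(MODEL_WEIGHTS), x))
```

The verifier never needs the model weights themselves, only their measurement, which is what lets a model provider publish a verifiable card without disclosing the model.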
Taxonomy
Topics: Security and Verification in Computing · Cryptography and Data Security · Cryptographic Implementations and Security
